Method for communicating entitlement data from a server, related server, client systems and computer program product

ABSTRACT

A server communicates a set of entitlement data representative of the entitlement of a client to access corresponding contents data by using a set of keys and a non-invertible cryptographic function. The cryptographic function is applied to a set of candidate bit strings using the set of keys to find a selected bit string that produces the set of entitlement data as a result of the application of the non-invertible cryptographic function by using the keys in the set. The server and the client share the cryptographic function as well as the set of keys (or the selected bit string). The server transmits to the client the selected bit string (or the set of keys). In either case, the client is thus in a position to apply the cryptographic function to the selected string of bits by using the set of keys, thereby reconstructing the set of entitlement data.

CROSS REFERENCE TO RELATED APPLICATION

This application is a national phase application based on PCT/EP2005/014101, filed Dec. 29, 2005.

FIELD OF THE INVENTION

The present invention relates to techniques for communicating entitlement data.

The invention was made with specific attention paid to its possible application to expressing so-called digital rights.

DESCRIPTION OF THE RELATED ART

So-called digital rights, namely the rights related to digital goods, are typically expressed by resorting to languages based on generative grammars of the context-free or context-sensitive type. These languages are called Rights Expression Languages (RELs) and are used to express the rights to use a digital good granted to a user by a Rights Issuer (RI). These rights are typically termed a “license” or Rights Object (RO) and are typically represented in an XML (eXtensible Markup Language) format.

All these techniques fall under the general designation of Digital Rights Management (DRM) techniques.

The arrangement disclosed in U.S. Pat. No. 5,715,403 is exemplary of a method of describing a user's rights by means of a grammar, wherein a grammar is a convenient tool for defining valid sequences of symbols for a language, including for example particular notations to indicate distinct choices among alternatives, to group items together in lists, to indicate a variable length list, to indicate time, etc. In particular, the grammar allows creating instances of usage rights indicating a manner by which a possessor of an associated digital work is able to use such work, and further specifies a default plurality of conditions for an instance of a usage right, which must be satisfied before the usage right is exercised. In the arrangement described in U.S. Pat. No. 5,943,422 users' rights are associated to corresponding contents by inserting therein a non-erasable signal which is essentially invisible to the contents.

U.S. Pat. No. 6,775,655 discloses a full Digital Rights Management (DRM) system wherein a decryption key is obtained from the license itself. No specific indication is provided concerning the way users' rights are specified.

NIST Federal Information Processing Standard Publications (FIPS) 180-2 “Secure hash standard”, 1 Aug. 2002, pages 3-24, specifies four types of secure hash algorithms, namely SHA-1, SHA-256, SHA-384 and SHA-512. These non-invertible cryptographic functions may be advantageously applied within the context of the present invention. Non-invertible functions are functions that can be mathematically formulated but for which there is no possibility of obtaining an algebraic solution of the inverse. An example is a hash function, which transforms a (large and not fixed) number of bytes into a (small) fixed number of bytes. If for example a hash function H is used to transform a phrase P, composed of an original string of bytes of any size, into a digest D with fixed size, according to the equation D=H(P), because of the non-invertibility of the function H there can be many different P (maybe with different size) that correspond to the same D.

The text by Bruce Schneier: “Applied cryptography: Protocols, Algorithms, and Source Code in C, Second Edition”, John Wiley & Sons, 1996, pp. 429-460, provides both theoretical and practical descriptions of cryptography and applications thereof including the possible use of non-invertible cryptographic functions. The bibliographic data provided therein give additional indications as to further cryptographic functions adapted for use within the context of the present invention.

Finally U.S. Pat. No. 6,735,313 (to which EP-A-1 051 036 corresponds) describes the possible use of hash functions to derive decryption keys for certain contents.

OBJECT AND SUMMARY OF THE INVENTION

Conventional DRM systems used for protecting generic digital objects (for instance images, music, various types of programs and so on) typically require the source of the contents (namely the entity that creates or distributes certain data contents) to decide the rights to be given to the user or client (e.g. “This song may be played three times until Jan. 1, 2006”). These rights are not expressed in a natural language but rather by resorting to certain languages such as Rights Expression Languages (RELs) that can be easily interpreted by the computer.

While a number of the prior art arrangements considered in the foregoing provide viable solutions to the problem of communicating to a user entitlement data (i.e. data expressing the ability for a user to access certain digital goods), the need is still felt for improved arrangements that may be particularly adapted to those contexts of use where entitlement data must be communicated in a simple and reliable manner from a “server” to one or more “clients”, these clients being typically a high number of clients.

The Applicant has found that the requirements to be preferably fulfilled by such an improved arrangement include the following:

-   the rights should be expressed by avoiding the use of a grammar wherein the set of predicates expressing the rights must be transmitted from the server to the clients;
-   the enablement message (typically a string of bits) transmitted from the server to the client(s) should be open to reconstruction by the client only on the basis of a “secret” (for instance a set of keys) shared between the server and the client;
-   each right should be checked independently from the others without having to perform parsing of any previous rights;
-   while no specific limitations generally exist for processing time on the server side, processing time on the client side should be reduced by making it possible to check each and every right by using hardware accelerators of the type currently used in cryptographic or DRM systems;
-   each right should preferably be stored in a small memory area while also requiring a small bandwidth to be transmitted; and
-   the provider of the digital good should preferably be in a position to decide if and to what extent calculation (i.e. construction) of an entitlement right should be made difficult, with the ensuing possibility of creating a computational barrier against possible forging of data.

The object of the present invention is to provide a response to the needs outlined in the foregoing.

According to the present invention, that objective is achieved by means of a method having the features set forth in the claims that follow. The invention also relates to a corresponding server system, a related client system as well as a related computer program product, loadable in the memory of at least one computer and including software code portions for performing the steps of the method of the invention when the product is run on a computer. As used herein, reference to such a computer program product is intended to be equivalent to reference to a computer-readable medium containing instructions for controlling a computer system to coordinate the performance of the method of the invention. Reference to “at least one computer” is evidently intended to highlight the possibility for the present invention to be implemented in a distributed/modular fashion.

The claims are an integral part of the disclosure of the invention provided herein.

In particular, the Applicant has found that the above objective can be achieved by preliminarily sharing between the server and the client a non-invertible cryptographic function and either a string of bits as defined below or a set of keys, and by transmitting from the server to the client, without using any grammar, either the bit string (if the keys have been shared) or the keys (if the string of bits has been shared). The bit string is determined by the server so as to produce the desired entitlement data as a result of said non-invertible function being applied to the string of bits by using the set of keys. The main effort is borne by the server to determine the string of bits, while the client can reconstruct the entitlement data very easily by applying again the non-invertible function.

As will be described in greater detail below, a particularly preferred embodiment of the arrangement described herein is based on the concept of assigning “true” or “false” values to an ordered set of first-order predicates that express the entitlement data and limitations that are typical of usage licenses of digital goods. The set of predicates is pre-determined and, as a consequence, does not need to be transmitted from the server to the client(s).

According to a first aspect thereof, the present invention thus relates to a method of communicating from a server a set of entitlement data representative of the entitlement of at least one client to access corresponding contents data, the method including the steps of:

-   providing with the server a set of keys, a non-invertible function, and a bit string that produces the set of entitlement data as a result of the non-invertible function being applied to the selected string of bits by using said set of keys,
-   causing the server (RI) and the at least one client (U) to share the non-invertible function and one of the set of keys and the selected bit string, and
-   transmitting from the server (RI) the other of the set of keys and the selected bit string.

Preferably, the non-invertible function is a non-invertible cryptographic function.

The method preferably comprises selecting the bit string out of a set of candidate bit strings.

The method may further include the steps of:

-   causing the server and the at least one client to share the non-invertible function and the set of keys, and
-   transmitting from the server the bit string.

The non-invertible function preferably has a uniform distribution of outputs as a function of its inputs.

Moreover, the non-invertible function is preferably a Message Authentication Code (MAC) function.

In particular, the non-invertible function may be an HMAC-x function where x is selected out of the group consisting of:

-   HAVAL,
-   MD2, MD4, MD5,
-   N-Hash,
-   RIPEMD (RIPEMD-128, RIPEMD-160, RIPEMD-256, RIPEMD-320),
-   SHA (SHA-0), SHA-1 and SHA-2 (SHA-256, SHA-384, SHA-512),
-   Snefru, Snefru-2,
-   Tiger,
-   Whirlpool, Whirlpool-0,
-   GOST-Hash,
-   HAS-160, HAS-V,
-   Panama,
-   MGF1.

Preferably, the non-invertible function is selected out of the group consisting of HMAC-SHA-1 and HMAC-MD5.

Preferably, providing a set of keys includes the steps of:

-   trying different keys until a set of keys producing the set of entitlement data as a result of the non-invertible function being applied to the string of bits by using the set of keys is found.

When the bit string is selected out of a set of candidate bit strings, the method may include the steps of:

-   orderly selecting the keys in the set of keys,
-   subsequently using each key orderly selected in the set of keys for applying the non-invertible cryptographic function to newly generated candidate bit strings in the set of candidate bit strings.

The method may further include the steps of:

-   partitioning the set of entitlement data into at least a first and a second subset of entitlement data,
-   applying the non-invertible function and the keys of the set of keys to the at least a first and a second subset of entitlement data to produce at least a first and a second bit string that respectively produce the at least a first and a second subset of entitlement data as a result of the non-invertible cryptographic function being applied to the at least a first and a second bit string by using the set of keys, whereby the set of entitlement data is expressed by the concatenation of the at least a first and a second bit string.

The at least a first and a second subset of entitlement data may include the same amount of entitlement data.

The method may also include the steps of:

-   receiving at the client the other of the set of keys and the bit string, and
-   applying the cryptographic function to the string of bits by using the set of keys, thereby reconstructing at the client the set of entitlement data.

Furthermore, the method may include the steps of:

-   the server associating with the entitlement data parametric values expressing conditions for access by the at least one client to corresponding contents data, and
-   the client associating such parametric values to the entitlement data in the set as reconstructed at the client as a function of the order in which the corresponding bits are included in the string of bits.

The present invention also relates to a server system for communicating, according to the method previously described, a set of entitlement data representative of the entitlement of at least one client to access corresponding contents data, the server system being configured for sharing with the at least one client the non-invertible function and one of the set of keys and the bit string and for transmitting to the at least one client the other of the set of keys and the bit string.

The server system may be implemented as a special purpose hardware processor configured for applying the non-invertible function to the string of bits by using the set of keys.

According to a further aspect thereof, the present invention relates to a client system co-operable with the above server system, wherein the client system is configured for:

-   receiving from the server system the other of the set of keys and the bit string, and
-   applying the non-invertible function to the string of bits by using the set of keys, thereby reconstructing the set of entitlement data.

Finally, the present invention relates to a computer program product, loadable in the memory of at least one computer and including software code portions for performing the steps of the method previously described.

BRIEF DESCRIPTION OF THE ANNEXED REPRESENTATIONS

The invention will now be described, by way of example only, by referring to the enclosed figures of drawing, wherein:

FIG. 1 is generally illustrative of the context of use of the invention,

FIG. 2 is a flow chart illustrative of a processing procedure performed within the arrangement described herein;

FIG. 3 is a flow chart illustrative of a processing procedure alternative to the processing procedure illustrated by the flow chart of FIG. 2;

FIG. 4 is a flow chart illustrative of another processing procedure performed within the arrangement described herein; and

FIGS. 5 and 6 show two possible ways of transmitting the enablement data according to the invention.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS OF THE INVENTION

The arrangement described herein is based on the use of non-invertible cryptographic functions to generate and check entitlement data, that is data that represent the ability of a certain user to access (that is to transmit, read, exploit, process and so on) corresponding contents data.

Essentially, a Rights Issuer, indicated as RI in the diagram of FIG. 1, namely the party granting the rights, sends a Rights Object RO, such as e.g. a bit string S of arbitrary length, to one or more potential users U.

In other words, the Rights Issuer RI (hereinafter the “server”) is to communicate to each user U (hereinafter the “client”) entitlement data that represent the entitlement for each client U to access (that is e.g. play, execute, record, export, transmit in any form and so on) corresponding contents data such as data representative of a piece of music and so on.

While a single client U will be referred to throughout the description for the sake of simplicity, those of skill in the art will appreciate that the arrangement described herein can be easily extended to scenarios including a plurality of clients U (and a plurality of servers RI).

The server RI and the (or each) client U will also share a set K of n secret keys k1, k2, . . . , kn, one for each right to be represented, as well as a specific non-invertible cryptographic function f. It will be assumed that the rights are expressed by a set P of predicates p1, p2, . . . , pn (the number of keys being the same as the number of predicates).

Any non-invertible cryptographic function is adapted for use within the framework of the arrangement described herein. Exemplary of such non-invertible cryptographic functions are e.g. HMAC-x functions where x is a hash function, such as:

-   HAVAL,
-   MD2, MD4, MD5,
-   N-Hash,
-   RIPEMD (RIPEMD-128, RIPEMD-160, RIPEMD-256, RIPEMD-320),
-   SHA (SHA-0), SHA-1 and SHA-2 (SHA-256, SHA-384, SHA-512),
-   Snefru, Snefru-2,
-   Tiger,
-   Whirlpool, Whirlpool-0,
-   GOST-Hash,
-   HAS-160, HAS-V,
-   Panama,
-   MGF1.

HMAC-MD5 and HMAC-SHA1 currently represent preferred choices. All the previous functions yield results composed of a certain number of bits, while in the present invention just one bit is required, to represent a true/false value. Therefore a mapping function between the hash result and a single true/false value is needed.

In a preferred embodiment of the arrangement described herein the server RI and the client U share a transformation function T that is adapted to extract a single bit out of an arbitrarily long sequence of bits X.

Such function T must essentially satisfy three requirements:

-   it must be deterministic;
-   it must depend in a certain way on each bit of the sequence X;
-   it should preferably provide zero or one as output results with the same probability (namely ½ or 50%).

An example of the function T having such features is the exclusive-OR (XOR) of all the bits in the sequence X.

The combination of the HMAC-x function (H) and the said mapping function (T) is referred to in the following as function f, i.e. f(ki, S)=T(H(ki, S)).

This function f can be defined a priori for the whole life of the system. Otherwise, it can be negotiated between the client U and the server RI. For the sake of completeness one might also consider the “degenerate” case wherein all these entities are known a priori to the client U, whereby such a client U is always enabled to execute the same set of predicates, granted a priori by the server RI.

The function f uses as a first parameter one of the keys k1, k2, . . . , kn included in the key set K and as a second parameter the string of bits S.

Given the string S, the server can calculate the keys ki by varying each ki until a predetermined output f(ki, S) is obtained.

In the embodiment hereinafter described with reference to FIG. 2, S is preliminarily agreed and shared between server RI and client U (together with function f), and the set of keys k1, k2, . . . , kn and the rights are transmitted from RI to U by sending the keys k1, k2, . . . , kn (instead of the predicates p1, p2, . . . , pn), as shown in FIG. 5. In detail, by referring to the flow chart of FIG. 2, after a start step 100, in a step 102 the server RI chooses a certain string of bits S (e.g. randomly, or with value 0). The server RI is thus in a position in a step 104 to start orderly generating the set of binary keys ki.

In a step 106 the server RI selects a first key value (e.g. randomly, or with value 0) for ki. In a step 108 the server RI applies the function f to the candidate string previously generated and the selected key and checks whether the result thus obtained corresponds to the entitlement data (predicate) pi to be transmitted.

If that is not the case (negative output of the step 108) in a step 110 a new key ki is selected (e.g. randomly, or with value incremented by 1) and the process of applying the function f to the candidate string previously generated is repeated with the newly selected key.

When the step 108 yields a positive outcome, which is indicative of a “good” key ki having been found (step 112), the server RI generates in a step 114 a new index i (i=i+1) in order to go on with the generation of the next ki and the comparison with the next pi.

This occurs after a step 116 wherein a check is made to see if all the keys ki (i ranging from 1 to n) have already been generated.

The sequence of steps described in the foregoing (steps 106 to 112) is repeated until all the keys ki have been generated.

The process is terminated once the step 116 indicates that all the keys ki have been generated, after which the process evolves to a stop state 118.

Provided that the function f is selected as a cryptographic non-invertible function having a uniform distribution of its outputs, a possibility always exists of finding at least one bit string in the set of candidate strings that satisfies the requirement indicated in the foregoing.

In particular, if the function f is selected as a cryptographic non-invertible function having a uniform distribution of its outputs, the probability that the desired result is obtained at each test is ½ and is constant for all the keys ki, whereby the number of steps required for the server RI to locate the “useful” binary string is on the average less than 2n, wherein n is the number of keys in the set of keys. As previously anticipated, this method is used when RI and U share S and f as a secret and want to communicate all the ki keys as representative of the corresponding entitlement predicates.

As an alternative, the server RI may proceed by preliminarily selecting a given set of keys ki and subsequently applying the function f to such keys to generate the binary string S, which is transmitted to the client U, as shown in FIG. 6. This method is used when RI and U share k1, . . . , kn and f as a secret and want to communicate S as representative of the corresponding entitlement predicates.

This alternative mode of operation is illustrated by the flow chart of FIG. 3.

After a start step 200, in a step 202 the server RI chooses a starting string of bits S and, in a step 204, initializes to 1 the index i of keys ki (i.e., ki is set to k1).

In a step 206 the server RI applies the function f to the candidate string S previously generated and the current key ki and checks whether the result thus obtained corresponds to the entitlement data (predicate) pi to be transmitted.

If that is not the case (negative output from step 206) in a step 208 a new bit string S is generated and the process of applying the function f to the key ki previously generated is repeated with the newly generated bit string.

When the step 206 yields a positive outcome, which is indicative of a “good” string having been found for the current key ki, in a step 212 the server RI increases by one unit the index i of keys ki (i=i+1), in other words selects the next key in the set K. This occurs after a step 210 wherein a check is made as to whether a new key in the set K is available to be selected (i.e. that not all these keys have been tried already).

The sequence of steps described in the foregoing (steps 206 to 212) is repeated with the key selected.

The process is terminated once the step 210 indicates that all the keys in the set K have been successfully tried, after which the selected bit string is stored in a step 214 and the process evolves to a stop state 216.

If the function f is selected as a cryptographic non-invertible function having a uniform distribution of its outputs, the probability that the desired result is obtained is ½ at each test and is constant for all the keys ki, whereby the number of steps required for the server RI to locate the “useful” binary string is on the average of the order of 2^(n), wherein n is the number of keys in the set of keys and the corresponding predicates.

One may thus decide how many steps are to be performed in order to render the process more or less simple to perform from the computational viewpoint. This can be achieved in several ways: by varying the number of predicates (n) contained in the predicate set, by grouping the n predicates into 2 or more different sets, or by choosing the function f so as to have an output distribution that is not statistically uniform.

For instance, the server RI may proceed by creating two groups or sets including m and n−m rights, respectively (typically with m=n−m=n/2). Once the keys ki are selected, a first string S1 is computed for the first group of rights in a time proportional to 2^(m) and then a second string S2 is computed for the second group of rights in a time proportional to 2^(n−m). If m=n/2 the overall time is proportional to 2^(n/2). The string expressing the whole of the rights is thus obtained as the concatenation of S1 and S2.

Quite obviously, the server RI and the client U may agree on more than two groups for arranging the rights.

Grouping the rights can therefore make it easier for the server RI to compute S.

As illustrated in FIG. 4, the check of rights by the client U is always an immediate one.

When the client U wants to verify whether it possesses a given right (that is a given entitlement data item), after a start step 300, in a step 302 the client U initializes to 1 the index i of keys ki of the set K shared with (or received from) the server RI. Then, in a step 304, the client U takes the string of bits received from (or shared with) the server RI and calculates the function f(ki, S) for the first key k1.

The computation of step 304 is then repeated for all the keys in the set K, namely k1, k2, . . . , kn, after having checked that there are other keys to be selected (negative outcome of check step 306) and having then increased by one unit the key index i (step 308).

When the function f has been applied for all the keys (positive outcome of the step 306) the system evolves to a stop 310, which is indicative of the fact that all the entitlement data pi have been read.

The result of this process for each data item/right pi is a binary value (“0” or “1”) that may be conventionally associated with a given meaning, for instance “0”=“false” and “1”=“true”.

That result is used to assign the corresponding meaning to the i-th predicate of the ordered set P of predicates that comprise the pre-established set of all the possible conditions of use of a given digital good. If a “true” value is allotted to a given predicate, the predicate is held to be valid and must be taken into account in verifying the license. If, conversely, the value allotted is “false”, the predicate is ignored.
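The two server-side searches (FIG. 2: searching the keys for a shared S; FIG. 3: searching S for shared keys, optionally per group of m rights so that the transmitted string is S1 concatenated with S2) and the client check of FIG. 4, as an added worked example in Python that is not the patent's own code. It assumes f(ki, S) = T(HMAC-SHA1(ki, S)) with T the XOR of all digest bits, candidate keys and strings generated as incrementing counters, constructed sample predicates and keys, and that each candidate S is tested against every key of its group (which is what gives the 2^(n), or 2^(m) per group, expected work stated above).

```python
import hashlib
import hmac
from typing import List, Optional, Sequence, Tuple

# Constructed sample data (not from the patent): n = 8 predicates p1..p8 as
# true/false bits, and 8 shared symmetric keys k1..k8, one per predicate.
PREDICATES: List[int] = [1, 0, 1, 1, 0, 0, 1, 0]
KEYS: List[bytes] = [bytes([0x10 + i]) * 16 for i in range(8)]
S_LEN = 8  # length in bytes of each candidate string S (assumption)


def f(key: bytes, s: bytes) -> int:
    """f(ki, S) = T(H(ki, S)): H is HMAC-SHA1, T is the XOR of every digest bit.

    T is deterministic, depends on each bit of the digest and, for a uniformly
    distributed H, returns 0 or 1 with probability 1/2 each.
    """
    digest = hmac.new(key, s, hashlib.sha1).digest()
    return bin(int.from_bytes(digest, "big")).count("1") & 1


def server_find_keys(s: bytes, predicates: Sequence[int],
                     key_len: int = 16) -> List[bytes]:
    """FIG. 2 mode: S and f are shared; the server searches one key per predicate.

    Keys are tried as a counter (0, 1, 2, ...) independently for each pi, so the
    expected work is about two tries per predicate, i.e. of the order of 2n.
    """
    keys: List[bytes] = []
    for p in predicates:
        candidate = 0
        while f(candidate.to_bytes(key_len, "big"), s) != p:
            candidate += 1
        keys.append(candidate.to_bytes(key_len, "big"))
    return keys


def server_find_string(keys: Sequence[bytes],
                       predicates: Sequence[int]) -> Tuple[bytes, int]:
    """FIG. 3 mode: keys and f are shared; the server searches the string S.

    Candidate strings are tried as a counter until f(ki, S) == pi for every i,
    which takes about 2^n tries. Returns S and the number of candidates tried.
    """
    counter = 0
    while True:
        s = counter.to_bytes(S_LEN, "big")
        if all(f(k, s) == p for k, p in zip(keys, predicates)):
            return s, counter + 1
        counter += 1


def server_find_string_grouped(keys: Sequence[bytes], predicates: Sequence[int],
                               group_size: int) -> Tuple[bytes, int]:
    """Grouped FIG. 3 mode: the n rights are split into groups of m = group_size.

    Each group needs about 2^m tries instead of 2^n for the whole set, and the
    transmitted string is the concatenation S1 || S2 || ...
    """
    parts: List[bytes] = []
    total = 0
    for start in range(0, len(keys), group_size):
        part, tries = server_find_string(keys[start:start + group_size],
                                         predicates[start:start + group_size])
        parts.append(part)
        total += tries
    return b"".join(parts), total


def client_reconstruct(keys: Sequence[bytes], s: bytes,
                       group_size: Optional[int] = None) -> List[int]:
    """FIG. 4: the client recomputes bi = f(ki, S) for i = 1..n, one MAC per right.

    With grouping, right i is checked against the group string Sj that covers it;
    every right is checked independently of the others, with no parsing.
    """
    m = group_size or len(keys)
    bits: List[int] = []
    for i, k in enumerate(keys):
        j = i // m
        bits.append(f(k, s[j * S_LEN:(j + 1) * S_LEN]))
    return bits


if __name__ == "__main__":
    shared_s = b"shared-S"  # 8 bytes, agreed in advance in the FIG. 2 mode
    keys = server_find_keys(shared_s, PREDICATES)
    print("FIG. 2 (keys sent):  ", client_reconstruct(keys, shared_s))
    s, tries = server_find_string(KEYS, PREDICATES)
    print("FIG. 3 (S sent):     ", client_reconstruct(KEYS, s), "tries:", tries)
    s2, tries2 = server_find_string_grouped(KEYS, PREDICATES, 4)
    print("FIG. 3 grouped (m=4):", client_reconstruct(KEYS, s2, 4), "tries:", tries2)
```

Comparing the two try counts printed for n = 8 and m = 4 shows the 2^(n) versus 2·2^(n/2) cost difference that grouping buys the server.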

Permission to use a given digital good is given only if at least one true predicate exists that authorises the specific use requested (for instance: “PLAY”, “EXECUTE”, “RECORD”, “EXPORT”, and so on) and if all the restrictions applicable thereto (expressed by other true predicates) are satisfied.

For instance a “PLAY” request by a client device made in respect of a given piece of music is satisfied if a true predicate exists stating “you are entitled to execute the PLAY function on that content” and certain restrictive predicates (for instance “you are entitled to play each function only three times”) are satisfied.

The entitlement data to be communicated within the context of the arrangement described herein essentially represent a license for use of the protected contents data. In order to avoid improper use, the license is applicable to a given content item and not to other content items. In fact, one purpose of the arrangement described herein is to prevent unlawful large scale distribution of forged rights concerning protected contents.

As detailed in the foregoing, the server RI and the client U sharecertain basic information in the form of “secret” required to ensurecommunication between them.

First of all, the server RI and the client U share a function f adaptedto perform non-invertible transformation of data sequences by means of apre-defined set of cryptographic algorithms as described above.

Moreover, the client RI and the server U may share:

-   -   an orderly numerated set of predicates P={p1, p2, . . . pn} that        comprise the ontology of the possible rights and the related        restrictions, possibly expressed by means of parameters whose        values can vary for each case (for instance: “the user has the        right to perform the “PLAY” operation of the contents”, “the        “PLAY” right is restricted by the counter x”, “the right “PLAY”        can be exploited only starting from the date y” and so on);    -   a corresponding ordered and numerated set of symmetric        cryptographic keys K={k1, k2, . . . kn}.

Also in the case of parametric predicates (for instance “the “PLAY”right is restricted by the counter x”) the parameter can in turn beexpressed by means of set of predicates (for instance p1=“the “PLAY”right is restricted by the counter 1”, p2=“the “PLAY” right isrestricted by the counter 2”, p1 AND p2=the “PLAY” right is restrictedby the counter 3”, and so on).

The arrangement previously described herein is therefore a completelygeneral one, in that it lends itself also to transmitting such“parametric” rights.

Further information may be exchanged when the client U starts thecommunication protocol by requesting from the server RI the rightconcerning a specific data contents.

Irrespective of the specific format of the data transmitted, theinformation exchanged between the server RI and the client U during theexecution of the protocol may be of the following type (of course thefollowing example is provided only to better illustrate a possibleembodiment of the invention and must in no way be construed in alimiting sense of the scope of the invention):

-   -   the client U sends to the server RI a message M requesting a        user license concerning a given protected content. The message M        indicates the identity of the client U, the identifier of the        protected contents for which the user right is requested, the        date of the request and the serial number of the request;    -   the server RI identifies the client U and then verifies that the        client U has the right of being provided a user license in        respect of the contents requested. Additionally, the server RI        creates that license and transmits it to the client U.

The license is comprised of the combination of various data.

A first set of data includes a set of parametric values V={v₁, v₂, . . .v_(k)} representative of e.g. dates, counters, symbolic identifiers ofgeographic locations that, when applied to the set of predicates Passign a given value to the set of predicates P thus making it possibleto construct each predicate in univocal manner.

The license further includes the string of bits S which, as described inthe detail in the foregoing, through the application of a non-invertiblecryptographic function f to the string S and a set of keys K={k1, k2, .. . kn}, gives rise to a set of n values f(k_(i), S), representative ofthe entitlement predicates.

The license may possibly include additional data such as a time stamp or a digital signature, adapted to prevent known attacks such as the so-called “replay attack” or forging of the license. These additional data and the algorithms possibly related to them are generally of a known type and do not represent essential features of the arrangement described herein, thereby making it unnecessary to provide a more detailed description.

When the client U receives the license, it checks it for authenticity by using cryptographic techniques that are known in the art and do not require to be described in detail herein.

Thereafter (as previously described in connection with FIG. 4), the client U applies to the string S the non-invertible function f by using its own keys K={k₁, k₂, . . . k_(n)}, thereby obtaining a numbered and ordered set of binary values B={b₁, b₂, . . . b_(n)}. In mathematical terms, each binary value b_(i) can be obtained directly from the string of bits S by the following formula:

b_(i) = f(k_(i), S).

By assigning to each binary value a standard meaning such as e.g. “1”=“true” and “0”=“false”, it is possible to group separately the “true” binary values and the “false” binary values to form a subset of “true” predicates P_(t) and a subset of “false” predicates P_(f).

Since the informative content of the false predicates is nil, the whole subset of the false predicates P_(f) can be ignored. Therefore, the complete semantic content of the license is expressed by the subset P_(t) only. However, P_(t) may possibly contain predicates that express conditions related to a parametric value (value, date, and so on).

In that case, in order to obtain a set of predicates adapted to be used as semantic knowledge of the conditions of use of the digital good, the client U assigns to each parametric predicate of the set P_(t) the corresponding value contained in the set V. The association of value and predicate in this case is univocally determined by the order in which the values v₁, v₂, . . . v_(n) in the set V are transmitted in the license, which corresponds to the order of the predicates in P_(t) (which is the same as in the set P, by ignoring the predicates included in P_(f)).

At the end of this processing, the client U obtains a set of predicates P_(t)(V) that expresses the conditions of use of the digital good. Of course, the client is put in a position to construct these conditions and to enforce respect thereof. Additionally, the code itself of the client U must be exempt from vulnerability and must be protected against tampering. These results can be achieved by known means that will not be described in detail herein.

Consequently, in order to generate the binary string S, the server RI must take into account how such a string will be used by the client U to identify P_(t).

It will be assumed for the sake of simplicity that the server RI imposes such rights on the client U and is in a position to express them in the form of a parametrical subset of P which corresponds to the subset designated P_(t)(V) in the foregoing.

The ordered set of the parametrical values V is transmitted to the client U without further processing. However, the configuration of P_(t) is indicated via the following steps.

For each predicate p_(i) in the ordered set P, if the predicate is present in P_(t), the value 1 is assigned to the predicate. Alternatively, if the predicate is absent from P_(t), the value 0 is assigned thereto. The string of bits thus obtained (that has a length equal to the cardinality of P) forms an ordered set B(P)={b₁, b₂, . . . b_(n)}.

Subsequently the server RI generates a random string S of arbitrary length. Then the server RI computes (by using the keys K shared with the client U) the ordered set B(S) generated from S by using the formula b_(i)=f(k_(i), S).

The server RI compares B(S) with B(P). If the two ordered sets are identical, the server transmits the string to the client U. Otherwise, computation restarts with the generation of a new random sequence of bits, as described above (FIG. 3).

Since the function f is non-invertible, no other computational scheme exists for determining S other than an approach based on repeated attempts (that is, an approach currently referred to as “brute force” computation).

Since the transformation function T is selected in such a way as to produce the values 0 and 1 as equi-probable outputs, each value has a 50% probability of being generated. Consequently, the probability of obtaining exactly the desired sequence of bits B(P_(t)) is ½ if P includes a single predicate, (½)² if P contains 2 predicates and in general (½)^(n) if P contains n predicates.

Consequently, the cardinality of P determines according to an exponential law the computational load associated with calculating B(P).
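The server-side search for S and the client-side reconstruction of P_(t)(V) described above, as an added Python example that is not the patent's own code. It assumes f is HMAC-SHA-256 reduced to the low bit of its first output byte, uses a constructed predicate set P and constructed keys K, and also generalises to splitting B(P) into chunks that are searched independently and concatenated (the variant of claim 10 below):

```python
import hashlib
import hmac
import secrets

S_LEN = 8  # assumed length in bytes of each candidate string S

# Constructed sample data (not from the patent): ordered predicate set P,
# each flagged with whether it takes a parametric value from V.
PREDICATES = [("may_play", False), ("expires_on", True),
              ("max_plays", True), ("region_is", True)]
# Keys K shared by server RI and client U (derived deterministically here).
KEYS = [hashlib.sha256(b"constructed-key-%d" % i).digest() for i in range(4)]


def f(key: bytes, s: bytes) -> int:
    """Assumed f(k_i, S): HMAC-SHA-256, reduced to the low bit of its first byte."""
    return hmac.new(key, s, hashlib.sha256).digest()[0] & 1


def bits_of(keys, s, part_size=None):
    """B(S) = (b_1..b_n) with b_i = f(k_i, S). With part_size, S is a concatenation
    of S_LEN-byte pieces and the keys of chunk j are applied to piece j."""
    part_size = part_size or len(keys)
    return [f(k, s[(i // part_size) * S_LEN:(i // part_size + 1) * S_LEN])
            for i, k in enumerate(keys)]


def server_find_string(keys, target_bits):
    """Server RI: draw random S until B(S) == B(P); about 2**len(keys) draws."""
    attempts = 0
    while True:
        attempts += 1
        s = secrets.token_bytes(S_LEN)
        if bits_of(keys, s) == target_bits:
            return s, attempts


def server_find_partitioned(keys, target_bits, part_size):
    """Partitioned variant: one search per chunk of part_size predicates, then
    concatenate; cost drops from about 2**n to (n/part_size) * 2**part_size."""
    pieces, total = [], 0
    for i in range(0, len(keys), part_size):
        s, n = server_find_string(keys[i:i + part_size], target_bits[i:i + part_size])
        pieces.append(s)
        total += n
    return b"".join(pieces), total


def client_reconstruct(keys, s, predicates, values, part_size=None):
    """Client U: recompute B(S), drop P_f, bind V to the parametric members of P_t
    in transmission order; reject a license whose V does not fit P_t."""
    p_true = [p for p, bit in zip(predicates, bits_of(keys, s, part_size)) if bit]
    if sum(param for _, param in p_true) != len(values):
        raise ValueError("V does not match the parametric predicates in P_t")
    vals = iter(values)
    return {name: (next(vals) if param else True) for name, param in p_true}
```

With the four constructed predicates a single search needs about sixteen draws on average; splitting into two chunks of two needs about eight, which is the trade-off between bandwidth (one short S versus two) and the computational barrier.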

This fact can be exploited in order to render more difficult, and consequently not advantageous from the economical point of view, the unlawful distribution of forged licenses, even when other security measures have been overcome or defeated.

For instance, by assuming that an acceptable computational time for the generation of a lawful license is of the order of one minute, and by assuming that a possible attacker is in a position to use a server having an equivalent computational power to distribute unlawful licenses, the generation and distribution of a forged license to one million fraudulent users would require 694 days, that is slightly less than two years. This fact per se is useful to prevent piracy phenomena based on forging of use rights related to given contents.

A further computational barrier can be provided by implementing in hardware those functions required to compute b_(i)=f(k_(i), S), for instance by using a bank of parallel processors configured to explore very rapidly a large set of hypotheses for S. In that case, a “lawful” server RI will have a very strong advantage in terms of computational power, thereby making “pirate” servers implemented in software form practically useless.

However, the arrangement described herein can be implemented also in the form of software code (namely a computer program product) adapted to be executed on general-purpose computers or on dedicated computers.

For instance, the server RI can be implemented in a workstation having access to the Internet in such a way as to communicate with the clients U by using a TCP/IP protocol. In that case, the client U can be implemented in the form of a special purpose device, e.g. a digital music player adapted to be connected to the Internet via a Wi-Fi connection.

As an alternative, the server RI and the client U can communicate over a telephone network (both of the fixed and the mobile type) or by using broadcast transmission via satellite, cable or terrestrial broadcasting. In the specific case of broadcast transmission (namely point-to-multipoint communication) from one server RI to one of the plurality of clients, the specific instances of the server RI and the clients U are currently referred to as “head end” (HE) and “set top box” (STB). The arrangement described herein can be applied to the case of broadcast transmission, provided the set of predicates P and the set of keys K are pre-installed in the set top boxes and the head end is aware of the set of keys K installed on each set top box. In that case, the head end can compute for each set top box the string S comprising the user license of a given content (for instance, a program being broadcast at that moment). In the broadcast case, the licenses are generally transmitted before broadcasting the program to which they apply. In fact, the client U will not generally be in a position to request a license at the moment of use.

Another specific case is a client device U comprised of a mobile phone connected to the server RI via a cellular network. In that case, the server RI and the client U can communicate in a bi-directional manner by using a limited bandwidth, and the arrangement described herein has the advantage of exploiting the bandwidth in an extremely efficient manner since the license is represented in a very compact way: the server RI may search for the string S to transmit to the client U among those having a minimum length (compatible with the information entropy of the entitlement data to be transmitted) in order to optimise use of bandwidth.

On the server side, the arrangement described herein can be implemented by using dedicated hardware components for computing the values f(k_(i), S). Such a computation can be easily performed in a parallel fashion since the various values f(k_(i), S) are independent from each other. A hardware component adapted to compute in parallel all the values for f(k_(i), S) could find out the string of bits S adapted to be transmitted and corresponding to the desired sequence of bits for B(P) in much shorter time in comparison with a software implementation, which is linked to a sequential execution of the various processing steps. This may give a significant computational advantage to a hardware server in comparison to possible attackers using software implementations.

As already described in the foregoing, in exchanging information between the server RI and the client U, at least two alternative cases can be considered in so far as computing the function f(k_(i), S) is concerned.

In the first place, the server RI and the client U share a fixed value S for each license. The server RI identifies a set of keys K such that f(k_(i), S)=B(P) and transmits such keys (in the license) to the client U together with the parametrical values V and other possible data. In that case, the computation complexity is linear and directly proportional to the number of keys (and corresponding predicates).

In the second case (which represents the presently preferred embodiment of the arrangement described herein) the server RI and the client U share for each license the keys in the set K (for instance the keys are pre-installed on the client U and are known to the server RI). Consequently, the server determines a string of bits S such that f(k_(i), S)=B(P) by varying S until values satisfying the equation are found. In this case the computational complexity is an exponential function of the number of keys. This latter case is preferred in so far as it sets a very high computational barrier required in order to grant (lawfully) licenses while also minimising the quantity of data to be exchanged between the server RI and the client U (in fact, a single string S is sent in the place of n keys).

Other possible variants include the possibility for the server RI and the client U to negotiate which function f is to be used out of a known set previously installed on the respective machines. Alternatively, the possibility exists of downloading in a secure manner from the server RI towards the client U the function f to be used. The same can also be applied to the set of data that are pre-installed on the client U, which include a set of predicates P, the keys K and default values for V.

Consequently, without prejudice to the underlying principle of the invention, the details and the embodiments may vary, even significantly, with respect to what has been described by way of example only, without departing from the scope of the invention as defined by the annexed claims.

The invention claimed is:
 1. A method of communicating a set ofentitlement data from a server to at least one client, the set ofentitlement data including a set of predicates representative ofentitlement of the at least one client to access corresponding contentdata stored on the server, comprising the steps of: determining a set ofkeys each corresponding to a predicate in said set of predicates,wherein each key in said set of keys is determined by varying said keyand calculating a result of a non-invertible function being applied to abit until said result is equal to the corresponding predicate; causingsaid server and said at least one client to share said non-invertiblefunction and one of said set of keys and said bit string; andtransmitting from said server to said at least one client the otherremaining one of said set of keys and said selected bit string that isnot shared with said at least one client.
 2. The method of claim 1,wherein the non-invertible function is a non-invertible cryptographicfunction.
 3. The method of claim 1, comprising selecting said bit stringout of a set of candidate bit strings.
 4. The method of claim 1,comprising the steps of: causing said server and said at least oneclient to share said non-invertible function and said set of keys; andtransmitting from said server to the at least one client said bitstring.
 5. The method of claim 1, wherein said non-invertible functionhas a uniform distribution of outputs as a function of inputs.
 6. Themethod of claim 1, wherein said non-invertible function is a messageauthentication code function.
 7. The method of claim 6, wherein saidnon-invertible function is a HMAC-x function where x is selected fromthe group: HAVAL, MD2, MD4, MD5, N-Hash, RIPEMD, RIPEMD-128, RIPEMD-160,RIPEMD-256, RIPEMD-3U, SHA, SHA-0, SHA-1 and SHA-2, SHA-256, SHA-384,SHA-512, Snefru, Snefru-2 Tiger, Whirlpool, Whirlpool-0 GOST-Hash,HAS-160, HAS-V, Panama, and MGF1.
 8. The method of claim 7, wherein saidnon-invertible function is selected from the group: HMAC-SHA-1 andHMAC-MD5.
 9. The method of claim 3, comprising the steps of: orderlyselecting said keys in said set of keys; and subsequently using each keyorderly selected in said set of keys for applying said non-invertiblecryptographic function to newly generated candidate bit strings in saidset of candidate bit strings.
 10. The method of claim 1, comprising thesteps of: partitioning said set of entitlement data into at least afirst and a second subset of entitlement data; and applying saidnon-invertible function and keys of said set of keys to said at least afirst and a second subset of entitlement data to produce at least afirst and a second bit string that respectively produce said at least afirst and a second subset of entitlement data as a result of anon-invertible cryptographic function being applied to said at least afirst and a second bit string by using said set of keys, whereby saidset of entitlement data is expressed by the concatenation of said atleast a first and a second bit string.
 11. The method of claim 10,wherein said at least a first and a second subset of entitlement datacomprise the same amount of entitlement data.
 12. The method of claim 1,further comprising the steps of: receiving at said client the other ofsaid set of keys and said bit string; and applying said cryptographicfunction to said string of bits by using said set of keys, therebyreconstructing at said client said set entitlement data.
 13. The methodof claim 12, comprising the steps of: said server associating with saidentitlement data parametric values expressing conditions for access bysaid at least one client to corresponding contents data; and said clientassociating said parametric values to said entitlement data in said setas reconstructed at said client as a function of the order in which thecorresponding bits are in said string of bits.
 14. A server systemcapable of communicating according to the method of claim 1, andcomprising a set of entitlement data representative of entitlement of atleast one client to access corresponding content data, said serversystem being configured for sharing with said at least one client anoninvertible function and one of a set of keys and a bit string and fortransmitting to said at least one client the remaining one of said setof keys and said bit string that is not shared with said at least oneclient.
 15. The server system of claim 14, wherein said server system isimplemented as a special purpose hardware processor configured forapplying said non-invertible function to a string of bits by using saidset of keys.
 16. A client system cooperable with the server system ofclaim 14, comprising: a client system configured for: receiving fromsaid server system the other of said set of keys and said bit string;and applying said non-invertible function to a string of bits by usingsaid set of keys, thereby reconstructing said set of entitlement data.17. A non-transitory computer readable medium encoded with a computerprogram product, loadable into a memory of at least one computer, thecomputer program product comprising software code portions forperforming the method of claim 1.